Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam

Webinar: Evaluation - 05.12

>
>
>
The risks of using vulnerable dependenc…

The risks of using vulnerable dependencies in your project, and how SCA helps manage them

Sep 06 2022

Most applications today use third-party libraries. If such a library contains a vulnerability, an app that uses this library may also be vulnerable. But how can you identify such problematic dependencies?

0987_PVS-Studio_SCA/image1.png

Dangers of vulnerable components

Let's say we have a simple web app that uses RestSharp, a fairly well-known REST API client library for .NET.

Our app receives some data in JSON format. Let's simplify it a bit and imagine that the handler receives the date string and parses it using the RestSharp extension method:

[HttpPost]
public IActionResult Index(string jsonDate)
{
  DateTime dateTime = jsonDate.ParseJsonDate(CultureInfo.InvariantCulture);

  // do something

  return View();
}

It seems the worst thing that may happen — the string in jsonDate would have incorrect date format. However, here's what would happen:

  • the dateTime object will receive the default value;
  • then the value will be processed in a specific way;
  • the sender will receive a reply.

So, is this code secure?

It depends on the RestSharp library version. If the version is earlier than 106.11.7, the library is vulnerable to ReDoS attacks (CVE-2021-27293). So, what? What does it all add up?

The point is that our request handler uses the ParseJsonDate function that uses a vulnerable regular expression. Hence, our application is vulnerable to ReDoS attacks as well.

To make sure that our application is vulnerable, I sent my app 10-15 requests from a browser at once. I passed the following string as the JSON date to my application:

new Date(000000000000000000000000000000000000000000000000000000000000000000

At the same time, I was using Process Hacker to monitor how the web service was consuming my system resources:

0987_PVS-Studio_SCA/image2.png

I wish I could send a dozen more requests, but my browser has frozen :(.

Let's get back to the code:

[HttpPost]
public IActionResult Index(string jsonDate)
{
  DateTime dateTime = jsonDate.ParseJsonDate(CultureInfo.InvariantCulture);

  // do something

  return View();
}

It looks pretty innocuous, doesn't it? But if a real web application has similar code, it may be attacked and lead to a server overload (provided that a vulnerable version of RestSharp is used).

All right, everything is clear with RestSharp. We just need to update it to the newest version. And the app is secure, right?

Not really... Only one dependency is secure. What about others?

The ways to check a project for vulnerable components

SCA (Software Composition Analysis) is a tool that identifies open-source software vulnerabilities. Originally, SCA was used to manage the license compliance risks, but over the time the product has been scaled up. And now one of its main features is the detection of vulnerable components.

If the project depends on something insecure, the SCA solution reports a message as follows:

Referenced package RestSharp 106.11.5 contains vulnerability according to CVE-2021-27293: Incorrect Regular Expression in RestSharp.

Today we have various tools for dependency analysis. Some tools also integrate SAST (static application security testing). This allows you to look for potential vulnerabilities that can lead to attacks like XXE, SQL injection, XSS, etc. If you integrate both SAST and SCA, you'll be able to diagnose the problems both in source code and in dependencies.

If you are a C# programmer, you can try PVS-Studio: it integrates SAST and SCA tools. Download the trial here. To look for security flaws, enable OWASP diagnostics (the V5625 diagnostic searches for vulnerable dependencies).

Also, there are solutions for other programming languages. Here are the most popular tools:

  • Mend (formerly WhiteSource) is a powerful solution from WhiteSource. It enables to check the code (Mend SAST) and dependency (Mend SCA) security.
  • Black Duck is one of the main Synopsys products. It focuses specifically on dependency analysis. Although the company also has a tool for static security analysis — Coverity.
  • Veracode provides popular solutions to look for security flaws in dependencies and code: Veracode Static Analysis (SAST) and Veracode Software Composition Analysis (SCA).

Conclusion

Any application may be vulnerable even if its code is correct. Vulnerable dependencies are sometimes hardly to find. So, the risks are really high because such dependencies may impact the app operation a lot.

SCA tools are not perfect — they can't make your code 100% secure. However, they definitely help detect vulnerable components. Moreover, you don't have to do it manually :).

Popular related articles


Comments (0)

Next comments next comments
close comment form